II. Web attacks and prevention
1. XSS attack
Cross-Site Scripting: its natural abbreviation, CSS, collides with Cascading Style Sheets, so it is abbreviated XSS.
Principle: malicious script is embedded in a web page and executes in the client's browser (for example, user-supplied data ends up being run as code).
Prevention: HTML-escape input data before it is written into a page (mainstream frameworks do this by default).
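Added example (not from the original notes): a comment rendered once by string concatenation and once through HTML escaping, with a crude check showing which output still carries live markup. The comment text and the `<p class="comment">` template are constructed for this illustration.

```python
import html

# Constructed sample of user-supplied content containing two script vectors.
USER_COMMENT = '<script>alert("xss")</script><img src=x onerror="alert(1)">'

TEMPLATE_OPEN = '<p class="comment">'
TEMPLATE_CLOSE = "</p>"


def render_unsafe(comment: str) -> str:
    """Concatenates the raw value into the page: the user's text becomes markup."""
    return f"{TEMPLATE_OPEN}{comment}{TEMPLATE_CLOSE}"


def render_escaped(comment: str) -> str:
    """Escapes <, >, &, " and ' so the browser displays the value as text.

    quote=True also escapes quotes, which matters when the value lands inside
    a quoted attribute rather than in element body text.
    """
    return f"{TEMPLATE_OPEN}{html.escape(comment, quote=True)}{TEMPLATE_CLOSE}"


def body_has_raw_markup(rendered: str) -> bool:
    """Checks whether the comment body still contains characters that can open a tag or break out of an attribute."""
    body = rendered[len(TEMPLATE_OPEN):-len(TEMPLATE_CLOSE)]
    return any(ch in body for ch in "<>\"'")


if __name__ == "__main__":
    print("unsafe :", render_unsafe(USER_COMMENT))
    print("escaped:", render_escaped(USER_COMMENT))
```

Escaping must happen at output time and match the context (HTML body, attribute, JavaScript, URL); `html.escape` covers the first two, and a templating engine with auto-escaping is what the "mainstream framework default" in the note refers to.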
2. Injection attack
Principle: SQL disguised as an HTTP request parameter.
For example, a login form where the user enters an account name and password.
Suppose the backend assembles the SQL like this: select * from user where username = '<entered account>' and password = '<entered password>'
Then, from the client, I enter account: admin and password: ' or '1'='1
After submission, the assembled statement becomes: select * from user where username = 'admin' and password = '' or '1'='1'
The query now returns rows, so the backend concludes that the account and password are correct.
Precautions: use precompiled statements (PreparedStatement); use an ORM framework; never store passwords in plaintext; handle exceptions (never return raw exceptions to the frontend).
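Added example (not from the original notes): the login described above run against an in-memory SQLite table, once with string concatenation and once with a parameterized statement (SQLite's equivalent of a PreparedStatement), plus a wrapper that swallows database errors instead of returning them to the client. The `user` table and its single row are constructed for this illustration; the stored password is kept in plaintext only to reproduce the note's scenario.

```python
import sqlite3

# Constructed user table matching the note's query.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The vulnerable pattern: request parameters are pasted into the SQL text."""
    sql = (
        f"SELECT * FROM user WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders keep the parameters as data, never as SQL syntax."""
    sql = "SELECT * FROM user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def login_handler(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Returns a generic message on database errors so stack traces never reach the frontend."""
    try:
        return "ok" if login_prepared(conn, username, password) else "login failed"
    except sqlite3.Error:
        # Log the real exception server-side; the client only sees a neutral message.
        return "login failed"


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("concatenated :", login_concat(db, "admin", payload))   # True: injection succeeds
    print("parameterized:", login_prepared(db, "admin", payload)) # False: payload is just a string
```

The concatenated query evaluates as `(username = 'admin' AND password = '') OR ('1' = '1')`, which is why the injected condition wins; with placeholders, the driver sends the payload as a literal value that no stored password matches.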
3. CSRF attack
Cross-Site Request Forgery
Principle: the user logs on to site A in the browser, which stores a cookie; the user then visits malicious site B. B issues requests to A, and the browser attaches A's cookie to them, so B can obtain data from A without ever authenticating or being authorized.
Precautions: set cookies to HttpOnly; add a custom token; use the Referer header (to know where the request came from).
This is mostly not handled by developers.
4. File upload vulnerability
Principle: executable files or scripts are uploaded; the server does not validate uploaded files; the attacker gains server permissions.
Precautions: determine the file type from its magic number (JPEG: FF D8 FF); limit file size; use a third-party framework.
5. DDoS attacks
Distributed Denial of Service
DoS: use seemingly reasonable client requests to consume excessive server resources so that legitimate users cannot use the service.
DDoS: a huge number of computers attack jointly; these computers are distributed.
Methods: SYN flood (forged SYN packets); DNS query flood; HTTP flood.
6. Other attacks
DNS domain hijacking, CDN back-to-origin attacks, server privilege escalation, buffer overflow.
"System Security" II. Web attacks and prevention